Dec 29, 2014

Tools: List of Open Source Static Code Analysis Security Tools

Multiple Languages
- VisualCodeGrepper (http://visualcodegrepp.sourceforge.net/)
- YASCA

Java
- OWASP LAPSE+

PHP
- RIPS
- DevBug

C/C++
- Flawfinder
- Cppcheck

Ruby on Rails
- Brakeman

Source:: https://www.checkmarx.com/2014/11/13/the-ultimate-list-of-open-source-static-code-analysis-security-tools/
 


If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Dec 25, 2014

Article-TH: Special articles from the book Network Security (Becoming a Penetration Tester edition)

These two documents are part of the book Network Security:
https://www.se-ed.com/product/Network-Security-ฉบับก้าวสู่นักทดสอบและป้องกันการเจาะระบบ.aspx?no=9786163354358

Special article: Case Study
https://dl.dropboxusercontent.com/u/2330423/Public%20Chapter/%E0%B8%9A%E0%B8%97%E0%B8%9E%E0%B8%B4%E0%B9%80%E0%B8%A8%E0%B8%A9%20case%20study.pdf
Special article: Collected special articles, B.E. 2557
https://dl.dropboxusercontent.com/u/2330423/Public%20Chapter/%E0%B8%9A%E0%B8%97%E0%B8%9E%E0%B8%B4%E0%B9%80%E0%B8%A8%E0%B8%A9%20%E0%B8%A3%E0%B8%A7%E0%B8%A1%E0%B8%9A%E0%B8%97%E0%B8%84%E0%B8%A7%E0%B8%B2%E0%B8%A1%E0%B8%9E%E0%B8%B4%E0%B9%80%E0%B8%A8%E0%B8%A9_2557.pdf







Dec 23, 2014

CheatSheet: Dalvik Executable (v0.99) Cheat-Sheet

Source:: https://twitter.com/binitamshah/status/538284612250644481/photo/1


 



Dec 17, 2014

Howto: Install Parallels Tools 10 in Kali

1. In the Parallels menu, choose Actions -> Install Parallels Tools

2. In Kali, copy the mounted CD-ROM to /tmp
# cp -pvr /media/cdrom/ /tmp/parallel

3. Go to the folder
# cd /tmp/parallel

4. Run the installer
# ./install


Howto: Install aircrack-ng on Ubuntu 14.04

1. Install the required libraries
# apt-get install libnl1 libnl-dev libssl-dev

2. Download the aircrack-ng source
# wget "http://download.aircrack-ng.org/aircrack-ng-1.2-rc1.tar.gz"

3. Extract (the file name must match the one downloaded in step 2)
# tar xzvf aircrack-ng-1.2-rc1.tar.gz

4. Compile and install (from inside the extracted directory)
# cd aircrack-ng-1.2-rc1
# make
# make install

5. Update the OUI (MAC vendor) database
# airodump-ng-oui-update

6. Add the install location to PATH
# export PATH=$PATH:/usr/local/sbin/





Howto: Install AWUS036NHR on Ubuntu 14.04

1. Download driver from "https://github.com/pvaret/rtl8192cu-fixes.git"
# git clone https://github.com/pvaret/rtl8192cu-fixes.git

2. Add module
# sudo dkms add ./rtl8192cu-fixes

3. Install module
# sudo dkms install 8192cu/1.9

4. Blacklist the stock rtl8192cu driver in /etc/modprobe.d/blacklist.conf so the dkms module is used instead
# echo "blacklist rtl8192cu" | sudo tee -a /etc/modprobe.d/blacklist.conf

Source:: https://github.com/pvaret/rtl8192cu-fixes
 



Dec 16, 2014

Video: BalCCon2k14 Video

https://www.youtube.com/playlist?list=PLyHRd2YK1T4wUf0iuLNT77D4h5Ne3xBPW 


 



Video: Defcon 22 (2014) Video and Slide

https://media.defcon.org/DEF%20CON%2022/DEF%20CON%2022%20video%20and%20slides/



 


Tools: Collected data with SSH Honeypots by Andrew-Morris

Data collected over the past several months using a network of 10-20 SSH honeypots, by Andrew Morris.



Source: https://github.com/andrew-morris/threat_research


Dec 10, 2014

Tools: PuttyRider - Hijack Putty sessions in order to sniff conversation and inject Linux commands.

PuttyRider injects a DLL into a running putty.exe process in order to sniff all communication and inject Linux commands on the remote server. This can be useful in an internal penetration test when you already have access to a sysadmin’s machine who has a Putty session open to a Linux server. You can use PuttyRider to take control of the remote server using the existing SSH session.

Download: https://github.com/seastorm/PuttyRider

Source:: http://seclists.org/fulldisclosure/2014/Dec/42



Dec 9, 2014

Tools: InsomniaShell - ASP.NET Reverse Shell Or Bind Shell

InsomniaShell is a tool for use during penetration tests, when you have the ability to upload or create an arbitrary .aspx page. This .aspx page is an example of using native calls through P/Invoke to provide either an ASP.NET reverse shell or a bind shell.
ASP.NET is an open source server-side Web application framework designed for Web development to produce dynamic Web pages. It was developed by Microsoft to allow programmers to build dynamic web sites, web applications and web services.
It was first released in January 2002 with version 1.0 of the .NET Framework, and is the successor to Microsoft’s Active Server Pages (ASP) technology. ASP.NET is built on the Common Language Runtime (CLR), allowing programmers to write ASP.NET code using any supported .NET language.

Source:: http://www.darknet.org.uk/2014/12/insomniashell-asp-net-reverse-shell-bind-shell/




Tools: AutoScan-Network - Network Scanner

AutoScan-Network is a network scanner (a discovery and management application). No configuration is required to scan your network; its main goal is to list the equipment connected to your network.

System Requirements:
• Mac OS X 10.5 or later
• Microsoft Windows (XP, Vista)
• GNU/Linux
• Maemo 4
• Sun OpenSolaris

Features:
• Fast network scanner
• Automatic network discovery
• TCP/IP scanner
• Wake-on-LAN functionality
• Multi-threaded scanner
• Port scanner
• Low load on the network
• VNC client
• Telnet client
• SNMP scanner
• Simultaneous scans of several subnetworks without human intervention
• Real-time detection of any connected equipment
• Supervision of any equipment (router, server, firewall, ...)
• Supervision of any network service (smtp, http, pop, ...)
• Automatic detection of known operating systems (brand and version); you can also add any unknown equipment to the database
• The graphical interface can connect to one or more scanner agents (local or remote)
• Scanner agents can be deployed all over the network to scan through any type of equipment (router, NAT, etc.)
• Network intruder detection (in intruder-detection mode, all new equipment is blacklisted)
• The complete network tree can be saved in an XML file
• No privileged account is required
 
 





Tools: THC-SmartBrute - Finds undocumented and secret commands implemented in a smartcard.

This tool finds undocumented and secret commands implemented in a smartcard. An instruction is divided into Class (CLA), Instruction Number (INS) and the parameters or arguments P1, P2, P3. THC-SMARTBRUTE iterates through all the possible values of CLA and INS to find a valid combination.

Command line arguments

--verbose
        prints a lot of debugging messages to stderr *FIXME*
--undoconly
        only prints a found instruction if it is not an element of the standard
        instruction list
--fastresults
        before iterating through all possible combinations of class and
        instruction number, typical class/instruction values are verified for
        availability.
        After that the classes 0x00, 0x80 and 0xA0 (GSM) are tried first.
--help
        prints out the usage
--chv1 pin1
        a VERIFY CHV1 instruction with pin1 as argument is executed
--chv2 pin2
        a VERIFY CHV2 instruction with pin2 as argument is executed
--brutep1p2
        finds valid parameter p1 and p2 combinations for the instruction
        the user defined with --cla and --ins.
        For parameter p1 the value 0x00 is assumed.
--brutep3
        finds valid p3 values for the given --cla, --ins, --p1 and --p2
--cla CLASS
        sets the instruction class to CLASS
--ins INS
        sets the instruction number to INS
--p1 P1
        sets parameter p1 to P1
--p2 P2
        sets parameter p2 to P2
--p3 P3
        sets parameter p3 to P3

Examples

1. ~$ ./thc-smartbrute
        run thc-smartbrute without any arguments to brute force for valid instructions
2. ~$ ./thc-smartbrute --undoconly
        find valid instructions but only print out non-standard instructions
3. ~$ ./thc-smartbrute --cla 0xA0 --ins 0xA4 --brutep1p2
        find the first two arguments for the GSM instruction SELECT FILE
4. ~$ ./thc-smartbrute --cla 0xA0 --ins 0xA4 --p1 0x00 --p2 0x00 --brutep3
        find the 3rd argument for the already found first two arguments
        for the GSM instruction SELECT FILE


Source:: https://www.thc.org/thc-smartbrute/
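As an added example (not THC's code), an encoder/decoder for the CLA/INS/P1/P2/P3 command header described above, plus a classifier for the status words a card answers with, so it is clear which replies mean "class or instruction not recognised" and which mean "recognised but refused", such as a VERIFY CHV that is still required. The 3F00 master-file identifier used in the test data is the standard GSM value, not something taken from this page.

```python
from typing import Optional, Tuple

# ISO 7816-4 short command APDU: CLA INS P1 P2 [P3 [data]]; P3 is Lc (length
# of the data that follows) or Le (expected response length). Constructed
# example, not THC-SmartBrute's implementation.

def encode_apdu(cla: int, ins: int, p1: int = 0, p2: int = 0,
                p3: Optional[int] = None, data: bytes = b"") -> bytes:
    """Build the header bytes; Lc defaults to len(data) when data is given."""
    for name, value in (("cla", cla), ("ins", ins), ("p1", p1), ("p2", p2)):
        if not 0 <= value <= 0xFF:
            raise ValueError(f"{name} must fit in one byte, got {value:#x}")
    if data and p3 is None:
        p3 = len(data)
    if data and p3 != len(data):
        raise ValueError("p3 (Lc) does not match the data length")
    out = bytes([cla, ins, p1, p2])
    if p3 is not None:
        if not 0 <= p3 <= 0xFF:
            raise ValueError("p3 must fit in one byte (short APDU)")
        out += bytes([p3])
    return out + data

def decode_apdu(raw: bytes) -> Tuple[int, int, int, int, Optional[int], bytes]:
    """Split a short command APDU back into (cla, ins, p1, p2, p3, data)."""
    if len(raw) < 4:
        raise ValueError("APDU header needs at least 4 bytes")
    cla, ins, p1, p2 = raw[:4]
    if len(raw) == 4:
        return cla, ins, p1, p2, None, b""
    p3, data = raw[4], raw[5:]
    if data and len(data) != p3:
        raise ValueError("Lc byte disagrees with trailing data length")
    return cla, ins, p1, p2, p3, data

# Status words from ISO 7816-4 (0x9F xx is the GSM 11.11 "response available"
# form). 0x6E00 and 0x6D00 mean the card does not know the class/instruction at
# all; 0x6A86 and 0x6700 mean it knows them but the parameters are wrong;
# 0x6982 means a PIN (CHV) or other access condition has not been satisfied.
_SW_NAMES = {
    0x9000: "ok",
    0x6E00: "cla_not_supported",
    0x6D00: "ins_not_supported",
    0x6A86: "bad_p1p2",
    0x6700: "wrong_length",
    0x6982: "security_status_not_satisfied",
    0x6A82: "file_not_found",
}

def classify_sw(sw1: int, sw2: int) -> str:
    """Map a status word to a short label; SW2 carries a length for 0x61/0x6C/0x9F."""
    sw = (sw1 << 8) | sw2
    if sw in _SW_NAMES:
        return _SW_NAMES[sw]
    if sw1 in (0x61, 0x9F):
        return f"ok_more_data:{sw2}"     # fetch with GET RESPONSE, Le = SW2
    if sw1 == 0x6C:
        return f"wrong_le:{sw2}"         # repeat the command with Le = SW2
    return f"unknown:{sw:04x}"
```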



Dec 3, 2014

Farlight.org - Combination of exploit-db.com and osvdb.org




Source:: http://farlight.org/


Tools: SQLMap Tamper Script

This is a list of tamper scripts for sqlmap users who want to obfuscate payloads or bypass filters.

First of all, not all scripts are created equal. Some work for general run-of-the-mill SQL injection attacks and others are for specific databases. For some it is not actually certain whether they work on all databases, and some have only been officially tested against older versions of database applications. This is the very definition of hit and miss.

Source:: http://blog.netinfiltration.com/2014/09/24/sqlmap-tamper-scripts/



Dec 1, 2014

Howto: Reset Root Password in Red Hat 7

1. Reboot the OS

2. Go to the GRUB boot loader menu

3. Edit the GRUB entry and delete "rhgb quiet"

4. In the kernel options, add "rd.break" and disable SELinux with "selinux=0"
# rd.break selinux=0

5. Boot the edited entry
# Ctrl + X

6. Remount the root partition read-write
# mount -o remount,rw /sysroot

7. Chroot
# chroot /sysroot

8. Change the password
# passwd



CheatSheet: Reverse Engineering & Malware Analysis Skill




Source:: http://tylerhalfpop.com/assets/ReMaSk_big.jpg


Howto: Install Armitage in Mac OS X Yosemite

1. Install Metasploit on Mac OS X
http://www.r00tsec.com/2014/12/howto-install-metasploit-in-mac-os-x.html

2. Install the application Armitage requires
# brew install pidof

3. Download Armitage
# curl -# -o /tmp/armitage.tgz http://www.fastandeasyhacking.com/download/armitage-latest.tgz

4. Extract and install Armitage (write a small launcher script, then point teamserver at the installed jar)
# tar -xvzf /tmp/armitage.tgz -C /usr/local/share
# echo '/usr/bin/java -jar /usr/local/share/armitage/armitage.jar "$@"' > /usr/local/share/armitage/armitage
# chmod +x /usr/local/share/armitage/armitage
# perl -pi -e 's/armitage.jar/\/usr\/local\/share\/armitage\/armitage.jar/g' /usr/local/share/armitage/teamserver

5. Create links for Armitage usage
# ln -s /usr/local/share/armitage/armitage /usr/local/bin/armitage
# ln -s /usr/local/share/armitage/teamserver /usr/local/bin/teamserver

6. Use it
# msfconsole


Source:: http://hackerforhire.com.au/installing-metasploit-framework-on-os-x-yosemite/




Howto: Install Metasploit in Mac OS X Yosemite

1. Install the Xcode command line tools
# xcode-select --install

2. Download and install Java
# wget "http://download.oracle.com/otn-pub/java/jdk/8u25-b17/jre-8u25-macosx-x64.dmg"

3. Install Homebrew
# ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
# brew doctor
# echo 'export PATH=/usr/local/bin:/usr/local/sbin:$PATH' >> ~/.bash_profile
# source ~/.bash_profile
# brew tap homebrew/versions
# brew tap homebrew/dupes

4. Install nmap with brew
# brew install nmap

5. Install Ruby 1.9.3
# brew install homebrew/versions/ruby193

6. Check the Ruby version
# ruby -v

7. Install PostgreSQL
# brew install postgresql --without-ossp-uuid
# initdb /usr/local/var/postgres
# mkdir -p ~/Library/LaunchAgents
# cp /usr/local/Cellar/postgresql/9.3.5_1/homebrew.mxcl.postgresql.plist ~/Library/LaunchAgents/

8. Start PostgreSQL
# launchctl load -w ~/Library/LaunchAgents/homebrew.mxcl.postgresql.plist

9. Create the user and database Metasploit will use in PostgreSQL
# createuser msf -P -h localhost
# createdb -O msf msf -h localhost

10. Install the gems Metasploit requires
# gem install pg sqlite3 msgpack activerecord redcarpet rspec simplecov yard bundler
# brew install libiconv
# gem install nokogiri -v '1.6.3.1' -- --with-iconv-dir=/usr/local/Cellar/libiconv/1.14

11. Install Metasploit (bundle install needs the cloned Gemfile, so it runs inside the checkout; /etc/profile is appended with tee rather than made world-writable)
# cd /usr/local/share/
# git clone https://github.com/rapid7/metasploit-framework.git
# cd metasploit-framework
# bundle install
# for MSF in $(ls msf*); do ln -s /usr/local/share/metasploit-framework/$MSF /usr/local/bin/$MSF; done
# echo 'export MSF_DATABASE_CONFIG=/usr/local/share/metasploit-framework/config/database.yml' | sudo tee -a /etc/profile

12. Set the username, password and database used to connect to PostgreSQL
# vi /usr/local/share/metasploit-framework/config/database.yml

13. Load the environment
# source /etc/profile
# source ~/.bash_profile

14. Use Metasploit
# msfconsole

Source:: http://hackerforhire.com.au/installing-metasploit-framework-on-os-x-yosemite/
 


Nov 30, 2014

Tools: Capture The Flag Tools and Site




Source:: http://faculty.cs.nku.edu/~waldenj/ctf/tools.html


CheatSheet: Network Intrusion Process




Source:: https://scriptjunkie.us/files/networkintrusionpostermed.png



Nov 25, 2014

CheatSheet: Windows Incident Response Cheat Sheet


Source:: https://twitter.com/Securityartwork/status/536905910145544193/photo/1



Howto: Get the real IP behind CloudFlare

1) Use a resolver

2) Enter the URL of your target site here:

3) Click Search

4) This is the plain IP

OR
IpLogger is a website which allows you to see traffic on image files.

This is a very useful method and can help you get the IP of practically anyone if you know what to do.
1) Go to http://iplogger.org/getnewid.php and copy the 3rd link in the boxes.
2) Go to any forum where you can change your avatar. Let us use hackforums.net for this example.
3) Paste the image URL you retrieved from IPLogger earlier and click on change avatar. This will prompt a SQL error because the image file is way too small. Do not worry though, everything worked well. Right before the error, MaDLeeTs.CoM pinged the image and that's all we need!
4) Now, go back to IPLogger and click the "View Log." button. This will forward you to a statistics page where we can find the real IP address.
 



Tools: LinEnum - Linux Enumeration Tool

For more information visit www.rebootuser.com
Note: Export functionality is currently in the experimental stage.

General usage (version 0.5):
  • Example: ./LinEnum.sh -k keyword -r report -e /tmp/ -t

OPTIONS:
  • -k Enter keyword
  • -e Enter export location
  • -t Include thorough (lengthy) tests
  • -r Enter report name
  • -h Displays this help text

Running with no options = limited scans/no output file
  • -e Requires the user to enter an output location, i.e. /tmp/export. If this location does not exist, it will be created.
  • -r Requires the user to enter a report name. The report (.txt file) will be saved to the current working directory.
  • -t Performs thorough (slow) tests. Without this switch, default 'quick' scans are performed.
  • -k An optional switch with which the user can search for a single keyword within many files (documented below).
See CHANGELOG.md for further details

High-level summary of the checks/tasks performed by LinEnum:
  • Kernel and distribution release details
  • System Information:
    • Hostname
    • Networking details:
      • Current IP
      • Default route details
      • DNS server information
  • User Information:
    • Current user details
    • Last logged on users
    • List all users including uid/gid information
    • List root accounts
    • Extracts password policies and hash storage method information
    • Checks umask value
    • Checks if password hashes are stored in /etc/passwd
    • Extract full details for 'default' uids such as 0, 1000, 1001 etc.
    • Attempt to read restricted files, i.e. /etc/shadow
    • List current users' history files (i.e. .bash_history, .nano_history etc.)
    • Basic SSH checks
  • Privileged access:
    • Determine if /etc/sudoers is accessible
    • Determine if the current user has sudo access without a password
    • Are known 'good' breakout binaries available via sudo (i.e. nmap, vim etc.)
    • Is root's home directory accessible
    • List permissions for /home/
  • Environmental:
    • Display current $PATH
  • Jobs/Tasks:
    • List all cron jobs
    • Locate all world-writable cron jobs
    • Locate cron jobs owned by other users of the system
  • Services:
    • List network connections (TCP & UDP)
    • List running processes
    • Look up and list process binaries and associated permissions
    • List inetd.conf/xinetd.conf contents and associated binary file permissions
    • List init.d binary permissions
  • Version Information (of the following):
    • Sudo
    • MySQL
    • Postgres
    • Apache
    • Checks user config
  • Default/Weak Credentials:
    • Checks for default/weak Postgres accounts
    • Checks for default/weak MySQL accounts
  • Searches:
    • Locate all SUID/SGID files
    • Locate all world-writable SUID/SGID files
    • Locate all SUID/SGID files owned by root
    • Locate 'interesting' SUID/SGID files (i.e. nmap, vim etc.)
    • List all world-writable files
    • Find/list all accessible *.plan files and display contents
    • Find/list all accessible *.rhosts files and display contents
    • Show NFS server details
    • Locate *.conf and *.log files containing the keyword supplied at script runtime
    • List all *.conf files located in /etc
    • Locate mail

Source:: https://github.com/rebootuser/LinEnum
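As an added example (not LinEnum's code), three of the "Searches" above implemented in Python over a directory tree: setuid/setgid files, world-writable files and world-writable directories that lack the sticky bit. It runs against a constructed tree containing one setuid file, one world-writable cron file, one 777 directory and one 1777 directory, and the last is deliberately not reported.

```python
import os
import shutil
import stat
import tempfile
from typing import Dict, List

def audit_tree(root: str) -> Dict[str, List[str]]:
    """Walk `root` and bucket paths (relative to root) by permission problem."""
    findings: Dict[str, List[str]] = {
        "suid": [], "sgid": [], "world_writable_file": [],
        "world_writable_dir_no_sticky": [],
    }
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:
                continue                     # unreadable or vanished: skip it
            mode = st.st_mode
            rel = os.path.relpath(path, root)
            if stat.S_ISREG(mode):
                if mode & stat.S_ISUID:
                    findings["suid"].append(rel)
                if mode & stat.S_ISGID:
                    findings["sgid"].append(rel)
                if mode & stat.S_IWOTH:
                    findings["world_writable_file"].append(rel)
            elif stat.S_ISDIR(mode):
                # /tmp-style 1777 directories are expected; 777 without the
                # sticky bit lets any user rename or delete others' files
                if (mode & stat.S_IWOTH) and not (mode & stat.S_ISVTX):
                    findings["world_writable_dir_no_sticky"].append(rel)
    return {k: sorted(v) for k, v in findings.items()}

def build_constructed_tree(base: str) -> None:
    """Create a small tree with deliberately bad and good modes (constructed data)."""
    layout = {
        "bin/suid_tool": 0o4755,          # setuid binary
        "etc/cron.d/backup": 0o666,       # world-writable cron job
        "home/user/notes.txt": 0o644,     # harmless
    }
    for rel, mode in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed\n")
        os.chmod(path, mode)
    os.makedirs(os.path.join(base, "drop"))
    os.chmod(os.path.join(base, "drop"), 0o777)     # anyone can plant files
    os.makedirs(os.path.join(base, "tmp"))
    os.chmod(os.path.join(base, "tmp"), 0o1777)     # sticky bit set: expected

def demo() -> Dict[str, List[str]]:
    """Build the constructed tree in a temp dir, audit it, then clean up."""
    base = tempfile.mkdtemp(prefix="linenum-demo-")
    try:
        build_constructed_tree(base)
        return audit_tree(base)
    finally:
        shutil.rmtree(base, ignore_errors=True)
```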


Nov 22, 2014

Tools: .NET ExploitRemotingService (c) 2014 James Forshaw

A tool to exploit .NET Remoting Services vulnerable to CVE-2014-1806 or CVE-2014-4149. It only works on Windows although some aspects might work in Mono on *nix.

Source:: https://github.com/tyranid/ExploitRemotingService


Nov 20, 2014

CheatSheet: Adb and Android Shell Cheat Sheet

https://github.com/maldroid/adb_cheatsheet/blob/master/cheatsheet.pdf?raw=true



Slide: Web Architecture - Mechanism and Threats

These slides are from my presentation at the 2600Thailand meeting.

https://db.tt/Pu3MeThe


 



Nov 17, 2014

Tools: Hamms - Malformed servers to test your HTTP client


Hamms is designed to elicit failures in your HTTP client: connection failures, malformed response data, slow servers, fat headers, and more.

Installation

You can either install hamms via pip:
    pip install hamms
Or clone this project:
    git clone https://github.com/kevinburke/hamms.git

Usage

  1. Start hamms by running it from the command line:
    python hamms/__init__.py

    Or use the HammsServer class to start and stop the server on command.
    from hamms import HammsServer

    class MyTest(object):
        def setUp(self):
            # start the misbehaving servers before each test
            self.hs = HammsServer()
            self.hs.start()

        def tearDown(self):
            # release the ports when the test finishes
            self.hs.stop()
  2. Make requests and test your client. See the reference below for a list of supported failure modes.
By default, Hamms uses ports 5500-5600. In the future, this port range may be configurable.

Source:: https://github.com/kevinburke/hamms
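An added example, not hamms' own code, of what such a harness exercises: a throwaway localhost server (constructed here) that accepts one connection and then either answers correctly, sends non-HTTP bytes, drops the connection, or never replies, plus a client probe showing how each misbehaviour surfaces in http.client and why a read timeout is the only thing standing between "slow server" and a hung client.

```python
import http.client
import socket
import threading

# Constructed stand-in for a misbehaving server; it is not the hamms project.
RESPONSE_OK = (b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n"
               b"Connection: close\r\n\r\nhi")

def start_bad_server(mode, hang_seconds=2.0):
    """Bind an ephemeral localhost port, serve one request in `mode`, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        try:
            conn.recv(4096)  # read the client's request, then misbehave
            if mode == "ok":
                conn.sendall(RESPONSE_OK)
            elif mode == "garbage":
                # malformed response data: no HTTP status line at all
                conn.sendall(b"this is not a status line\r\n\r\n")
            elif mode == "hang":
                # slow server: keep the socket open but never answer
                threading.Event().wait(hang_seconds)
            # mode == "close": say nothing and drop the connection
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

def probe(port, timeout=0.5):
    """Issue one GET with a read timeout and classify how the client fared."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        resp.read()
        return "ok" if resp.status == 200 else "unexpected_status"
    except ConnectionResetError:           # includes http.client.RemoteDisconnected
        return "disconnected"              # server closed without any response
    except http.client.BadStatusLine:
        return "bad_status"                # response bytes were not HTTP
    except socket.timeout:
        return "timeout"                   # without a timeout this call never returns
    finally:
        conn.close()

def run_case(mode):
    """Start a server in `mode` and return the probe's verdict for it."""
    return probe(start_bad_server(mode))
```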


Nov 15, 2014

Tools: Radare - Forensic Android Tool

The Radare project started as a forensics tool, a scriptable command-line hexadecimal editor able to open disk files, but later gained support for analyzing binaries, disassembling code, debugging programs, attaching to remote gdb servers, and more.
radare2 is portable.

Architectures:
6502, 8051, arm, arc, avr, bf, tms320 (c54x, c55x, c55+), gameboy, csr, dcpu16, dalvik, i8080, mips, m68k, msil, snes, nios II, sh, sparc, rar, powerpc, i386, x86-64, H8/300, malbolge, T8200
File Formats:
bios, dex, elf, elf64, filesystem, java, fatmach0, mach0, mach0-64, MZ, PE, PE+, TE, COFF, plan9, dyldcache, Gameboy and Nintendo DS ROMs
Operating Systems:
Android, GNU/Linux, [Net|Free|Open]BSD, iOS, OSX, QNX, w32, w64, Solaris, Haiku, FirefoxOS
Bindings:
Vala/Genie, Python (2, 3), NodeJS, LUA, Go, Perl, Guile, php5, newlisp, Ruby, Java, OCaml
Features:
  • Multi-architecture and multi-platform
    • GNU/Linux, Android, *BSD, OSX, iPhoneOS, Windows{32,64} and Solaris
    • i8080, 8051, x86{16,32,64}, avr, arc{4,compact}, arm{thumb,neon,aarch64}, c55x+, dalvik, ebc, gb, java, sparc, mips, nios2, powerpc, whitespace, brainfuck, malbolge, z80, psosvm, m68k, msil, sh, snes, gb, dcpu16, csr, arc
    • pe{32,64}, te, [fat]mach0{32,64}, elf{32,64}, bios/uefi, dex and java classes
  • Highly scriptable
    • Vala, Go, Python, Guile, Ruby, Perl, Lua, Java, JavaScript, sh, ..
    • batch mode and native plugins with full internal API access
    • native scripting based in mnemonic commands and macros
  • Hexadecimal editor
    • 64bit offset support with virtual addressing and section maps
    • Assemble and disassemble from/to many architectures
    • colorizes opcodes, bytes and debug register changes
    • print data in various formats (int, float, disasm, timestamp, ..)
    • search multiple patterns or keywords with binary mask support
    • checksumming and data analysis of byte blocks
  • IO is wrapped
    • support Files, disks, processes and streams
    • virtual addressing with sections and multiple file mapping
    • handles gdb:// and rap:// remote protocols
  • Filesystems support
    • allows to mount ext2, vfat, ntfs, and many others
    • support partition types (gpt, msdos, ..)
  • Debugger support
    • gdb remote and brainfuck debugger support
    • software and hardware breakpoints
    • tracing and logging facilities
  • Diffing between two functions or binaries
  • Code analysis at opcode, basicblock, function levels
    • embedded simple virtual machine to emulate code
    • keep track of code and data references
    • function calls and syscall decompilation
    • function description, comments and library signatures
Source:: http://www.radare.org/y/?p=download



Tools: MeterSSH – Meterpreter over SSH

As penetration testers, we continually need to identify which types of attacks are detected and which are not. After running into a recent penetration test with a next generation firewall, most analysis has shifted away from the endpoints and more towards network analysis. While there needs to be a mixture of both, MeterSSH demonstrates how easy it is to circumvent a lot of these signature-based "next generation" product lines.
MeterSSH is an easy way to inject native shellcode into memory and pipe anything over SSH to the attacker machine through an SSH tunnel, all self-contained in one single Python file. Python can easily be converted to an executable using pyinstaller or py2exe.

Source:: https://www.trustedsec.com/november-2014/meterssh-meterpreter-ssh/



Nov 13, 2014

Tools: Simple-Rootkit - A simple attack against gcc and Python via kernel module, with highly detailed comments.

A simple attack via kernel module, with highly detailed comments.
Here we'll compile a kernel module which intercepts every "read" system call, searches for a string and replaces it if the reading process looks like the gcc compiler or the python interpreter. This is meant to demonstrate how a compromised system can build a malicious binary from perfectly safe source code.
For more information see: http://linux-poetry.com/blog/12/
Also check out: http://memset.wordpress.com/2010/12/03/syscall-hijacking-kernel-2-6-systems/

Instructions

1. Install your kernel headers
# sudo apt-get install linux-headers-$(uname -r)

2. Run make
# cd simple-rootkit && make

3. Load the module
# sudo insmod simple-rootkit.ko

4. Compile any C program or run any Python script: all instances of the string "World!" will now read as Mrrrgn.
# gcc hello.c -o hello
# ./hello
 
Source:: https://github.com/mrrrgn/simple-rootkit 


